This discussion has been archived. No new comments can be posted.

Changes In Store For PHP V6

  • Magic Quotes Removed (Score:3, Informative)

    by iamhigh (1252742) * on Sunday May 11, 2008 @05:53PM (#23371918)

    Citing portability, performance, and inconvenience, the PHP documentation discourages the use of magic_quotes. It's so discouraged that it's being removed from PHP V6 altogether, ... ... If you're using magic_quotes to escape strings for database calls, use your database implementation's parameterized queries, if they're supported. If not, use your database implementation's escape function, such as mysql_escape_string for MySQL or pg_escape_string for PostgreSQL.
    This was discussed just a few days ago in the somewhat wrongly titled 500 Thousand MS Web Servers Hacked [slashdot.org]
    • Re: (Score:3, Insightful)

      by robo_mojo (997193)
      So does this mean that if you are using magic quotes and you upgrade to PHP6, suddenly you will become vulnerable to SQL injection attack? Wow, I'd consider that to be a major regression, then.
      • Re: (Score:3, Insightful)

        by The MAZZTer (911996)

        I hope they have some sort of protection against that; specifically, if you have magic_quotes turned on in php.ini (or whatever the linux equivalent is) PHP should refuse to start, perhaps logging an error message which explicitly tells the webmaster magic_quotes is no longer supported, and that it must be turned off, and the possible consequences of using old scripts designed to work with magic_quotes on. This forces the webmaster to actually go into the config file and turn magic_quotes off, and if they

        • Re: (Score:3, Funny)

          by 615 (812754)

          Actually, undoing magic_quotes is quite a bit more involved. Some things to consider:

          • magic_quotes affects more than just GET, POST and cookie data
          • GPC data may contain arrays
          • magic_quotes doesn't process the keys of top-level arrays

          Here's an excerpt from my personal library that addresses these issues and more. It works in PHP 4+ (I forget which minor version). Just give me some credit if you use it!

          // magic_quotes_runtime is _like_ magic_quotes_gpc/sybase, except that it
          // applies to return d

      • So does this mean that if you are using magic quotes and you upgrade to PHP6, suddenly you will become vulnerable to SQL injection attack?

        Of course not! Since no one has been stupid enough to directly insert submitted strings into SQL before sending it to the server for at least 5 years now, this won't affect any modern code in the slightest.

      • by Quietust (205670) on Sunday May 11, 2008 @11:11PM (#23374008) Homepage

        So does this mean that if you are using magic quotes and you upgrade to PHP6, suddenly you will become vulnerable to SQL injection attack?
        It would probably be more accurate to say that you will become more vulnerable to SQL injection attacks, since magic_quotes was never 100% foolproof to begin with.
      • Re: (Score:3, Insightful)

        by WWWWolf (2428)

        So does this mean that if you are using magic quotes and you upgrade to PHP6, suddenly you will become vulnerable to SQL injection attack?

        "The Management would like to announce that we're switching to slot-loading CD-ROM drives next week. We will be reserving more burn ointments in the first aid room for the next week or so and the janitor has been instructed to stock extra tissues in the bathrooms, but people who have been using CD-ROM drives as coffee cup holders should seriously stop using them as coffee cup holders ASAP."

        Magic quotes did the wrong fix that incidentally happened to work for some people. The problem was that people had

    • Re: (Score:3, Informative)

      by jacksonj04 (800021)
      And even more irritatingly, mysql_escape_string() has been deprecated as well. You should use mysql_real_escape_string().
      • by TheLink (130905) on Sunday May 11, 2008 @11:59PM (#23374294) Journal
        But shouldn't you be using mysql_genuine_advantage_escape_string() instead ;).

        It's stupid stuff like that and "Magic Quotes" that make PHP a sad joke.

        Magic Quotes = mixing input layer filtering with output layer filtering = bad. You tend to get data corruption amongst other things.

        Then there's addslashes and friends.

        PHP: "Making The Wrong Ways Easy, and The Right Ways Hard".

        Oh well, I guess php6 is where they are finally trying to do things right now.

        All the pain is because php coders were doing things terribly wrong in the first place. Don't forget the PHP devs were encouraging them to do things wrong for years.
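
Added example, not part of any comment above: a PHP sketch of the point made in this sub-thread, that escaping on input (what magic_quotes did) corrupts data and does not match every database's quoting rule, while parameterized queries and output-time HTML encoding handle each layer where it belongs. It assumes PHP 7.4+ with the pdo_sqlite extension; simulated_magic_quotes(), the customers table and the sample input are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example: escape at the output layer (SQL, HTML), not on input.

// Constructed stand-in for what magic_quotes_gpc did to every GET/POST/cookie value.
function simulated_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

// SQL output layer: the value travels as a bound parameter, never as SQL text.
function insert_customer(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO customers (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

function fetch_name(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT name FROM customers WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// HTML output layer: encode for the context the value is printed into.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db  = open_db();
$raw = "O'Malley <b>& Sons</b>"; // constructed sample input

// 1. Input-layer escaping plus a bound parameter: the backslash is stored as data.
$corruptedId = insert_customer($db, simulated_magic_quotes($raw));
// 2. Raw input plus a bound parameter: stored byte for byte.
$cleanId = insert_customer($db, $raw);

printf("stored with input escaping : %s\n", fetch_name($db, $corruptedId));
printf("stored from raw input      : %s\n", fetch_name($db, $cleanId));
printf("rendered into HTML         : %s\n", html(fetch_name($db, $cleanId)));

// 3. Input-layer escaping pasted into SQL text: addslashes() writes \' but SQLite
//    (like standard SQL) does not treat the backslash as an escape, so the quote
//    still ends the string literal and the statement no longer parses.
try {
    $db->exec("INSERT INTO customers (name) VALUES ('" . simulated_magic_quotes($raw) . "')");
    echo "concatenated insert succeeded\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: ", $e->getMessage(), "\n";
}
```

The first row shows the data corruption described above (a stray backslash stored with the name), and the failed third statement shows that one fixed input filter cannot be correct for every SQL dialect.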
  • Quick summary (Score:5, Informative)

    by Anonymous Coward on Sunday May 11, 2008 @05:55PM (#23371934)
    ... for those too lazy to RTFA:
    Better Unicode support
    Namespaces! (this is being backported to PHP 5.3)
    SOAP and the XML Writer/Reader modules compiled in and enabled by default (also in PHP 5.3)
    magic_quotes, register_globals, register_long_arrays, safe_mode
    ASP-style short tags (<% %>)
    Freetype1/GD1 support
    ereg (use of preg encouraged instead).
    • by kestasjk (933987)
      Too bad the backwards-compatibility is going to make migration very slow.. PHP5 is very backwards compatible with PHP4, and the move to PHP5 is still going on, PHP6 will take a long time.
    • safe mode hurray! (Score:3, Informative)

      by remmelt (837671)
      Each time I read that they're ditching safe_mode, I do a little happy dance and shed a tear of delight.

      All the other stuff is great as well, but safemode has made the quality of my life significantly worse in the past.
  • by unity100 (970058) on Sunday May 11, 2008 @06:03PM (#23372008) Homepage Journal
    i am servicing around 350+ clients in a small fish web host. even at that small web host, there are a plethora of different scripts, programs that clients are using to conduct their everyday business, their estores, their livelihood. some of them are dependent and locked-in to the software they are using like a small business company that extensively uses ms products is locked into microsoft.

    regardless, backwards compatibility is important for those people. for starters, these are the people who have chosen php as the platform to conduct their business on, making php a de facto dominant language for the web instead of being a small time web language that was used on web savvy, webmasters. the financial impact of this is going to be huge for them, to adapt to that many changes php dev group started to introduce in the span of 1 to 2 years. this is too much.

    you gotta slow down. or you are going to alienate the small business community from using php with what you are doing. if you break a small estore owner's store script every 1.5 years for 'upgrading', the second time you do it they will jump the language ship.

    do not start to become an elitist group out of touch with the people, increasingly caring for nifty programming issues rather than what would the users think.
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      And forward innovation is not important? Besides, you wouldn't upgrade all 350+ clients at once and in place? Perhaps having two host accounts, one for php5 apps and one for php6? Just a thought.
      • by MROD (101561) on Sunday May 11, 2008 @06:26PM (#23372186) Homepage
        Many commercial PHP-based systems are only now just changing over to PHP5 from PHP4. (Yes, I know...)

        That's the way life is, I'm afraid. Most people who are depending upon these sites and software have no control over the vendors and definitely don't have the ability of fixing the code themselves.

        Changing the API so greatly and so often in a non-backwardly compatible fashion does cause genuine problems.. and hosting sites can't afford to support multiple versions. Well, not unless they charge their customers too high a price for hosting their pages.
    • Just like PHP 4 was supported for a very long time with security updates, so will PHP 5. Your clients won't be obligated to upgrade for many years.

      One major issue with PHP is old cruft, such as magic quotes, that were terrible feature additions in the first place. These are so bad it's really in everyone's best interest to remove them. I think features like POSIX regex, however, should remain because they don't do any harm.
    • Re: (Score:3, Interesting)

      by njcoder (657816)
      Sounds like you're using mod_php. That's a very insecure way to run php in a shared hosting environment and also doesn't give you the ability to run more than one version of php.

      May not seem like a big deal until some idiot doesn't update his scripts and some script kiddie comes along and you get 350 calls from your clients asking you why there's some terrorist propaganda on their website.
      • by unity100 (970058)
        your ears are weak.

        also you should note that, the same customers would make much more stampede when they are asked to pay for development work for their running estores, because php team had decided to deprecate some features, for the second time in 1.5 years.
        • by njcoder (657816)
          sucks to be them
          • php's success compared to other languages like asp, which tried to compete with it and came out about the same time into prominence is due to php becoming more than a small nifty toolset for doing knickknacks on hobby sites and forums. php started to be used for business, and this created a demand for php programmers, and this in turn fueled more entry into language. same did not happen for asp. go check elance. you'll see zillions of php projects that are put up, and equally many php developers. search for
            • Re: (Score:3, Informative)

              by CastrTroy (595695)
              Try doing a search on Dice.com, where they post jobs. ASP.Net Developer [dice.com] returns 3626, while PHP developer [dice.com] only returns 1514 jobs. That's less than half. So while PHP may be used by tons of hobbyist coders (I use it myself), ASP.Net is used much more in the business world.
        • by njcoder (657816)
          By the way, you do realize that you don't have to upgrade your server right? You can leave the current version of PHP and everyone will be happy. There are tons of hosts still only offering php4.

          The part where I said there are ways to run different versions of php for different users didn't seem to register for you either.

          • Yes, actually very soon you will need to update your server. PHP4 is no longer being updated - this means security and all types of other bugs, including data loss/critical bugs. From now on, security updates will NOT be official and subject to people's whim. It's absolutely retarded that you suggest one can stick with PHP4 and be happy. The happiness will only last until there's no fix for their dataloss bug or their system has been hacked.
    • Realistically it's not a huge change, just removal of some insecure features. If you must keep these features stay with PHP4, no big deal really.
      • by unity100 (970058)
        the catch is that, quite a many of the prominent scripts that are popular had been using some of those insecure features since some time ago, and there are a lot of people still using those old versions.
    • by fyoder (857358)
      Where I work we have a couple of shared hosting servers which run two apaches, one for php4 and one for php5. It's a bit of a pita, but it works, and for us is easier than forcing clients at gunpoint to upgrade their php4 applications.

      Unless there is a really compelling reason to add a third apache/php, I don't think we'll be quick to adopt this version. The better OO support in php5 made it something we wanted just for the stuff we write, but there doesn't seem to be much in php6 that is that exciting.
      • by unity100 (970058)
        add it to that the fact that clients do not know, or give a damn about oop, and we get the complete picture.
    • Re: (Score:3, Insightful)

      by CastrTroy (595695)
      I'm with dreamhost, and I still have the option to switch my domain over to 4.4.x, although I'm currently running on 5.2.x. I don't see why a webhost with a large number of customers, couldn't support multiple versions of PHP, especially if there was a large number of customers (at least 10-15%) using that particular version.
  • Removing the get_magic_quotes_gpc function altogether seems like the dumb way to handle backwards compatibility, breaking scripts for no good reason. Why not keep the function and just always have it return false?
    • Removing the get_magic_quotes_gpc function altogether seems like the dumb way to handle backwards compatibility, breaking scripts for no good reason. Why not keep the function and just always have it return false?
      I thought that's what they were doing. I know there was some discussion about it on the internals mailing list, but I thought sanity prevailed in that one.
  • by gandhi_2 (1108023) on Sunday May 11, 2008 @06:18PM (#23372138) Homepage
    It was to protect you from the O'Malleys and O'Connors. The PHP framers were obviously fans of Mel Brooks' film, Blazing Saddles: "We'll take the niggers and the chinks but we don't want the Irish". Or I'm missing something.
  • Real change (Score:3, Insightful)

    by Anonymous Coward on Sunday May 11, 2008 @06:33PM (#23372246)
    Make it like a modern language.

    Change . (string concat) to +

    Change -> (pointer-to-member operator) to .

    Done. Huge productivity increases.

    Thank you.
    • ...Wow.

      I can think of a dozen things off the top of my head that would make PHP a better language, or at least make it suck less.

      And this is what you came up with?

      Even of all the syntax tweaks -- and there's so much more that's wrong with PHP than syntax -- I can think of so many more useful things to do than that. In fact, having concatenation be different than addition is a feature, not a bug -- if you add 2 and 2, you always get 4. If you concatenate 2 and 2, you always get 22. With + meaning both, you h
    • Re: (Score:3, Informative)

      by jyurkiw (1273790)
      Ever wondered why they picked the '.' for a concatenation operator over the trusty '+'?

      PHP is a loosely-typed language.

      The '+' is also the arithmetic operator.

      Is a line of code reading
      $c = $a + $b
      adding $a and $b? or is it concatenating them?

      What if $a = 513 and $b = 4201?
      Are we talking about a phone number? Or am I trying to come up with $c = 4714?

      There was a very good reason for having '.' as the concatenation operator.
  • Why PHP sucks (Score:2, Informative)

    by rootpassbird (1276000)
    They've fixed a lot of things that were being complained about under the terms "why php sucks" http://www.google.com/search?q=why+php+sucks [google.com] .
    Related news is that PHP runs much better now on Windows Server 2008, as per the official Zend statement. But I doubt we will see too many people switch to WISP. This is flamebait, agreed.
    Also if you now have a PHP-fed brain with no place for anything else, with the new namespaces-on-steroids (http://www.php.net/manual/en/language.namespaces.using.php) change, you'll li
  • by sneakyimp (1161443) on Sunday May 11, 2008 @06:59PM (#23372422)
    I've noticed that every single article here mentioning PHP is immediately tagged 'phpsucks'. I find PHP incredibly expressive and am always surprised by the incredible variety of libraries/modules/plugins to manipulate graphics, flash, pdfs, to support protocols like SOAP, JSON, etc.

    Perhaps we need an article on 'why php sucks' ?
    • by FooAtWFU (699187) on Sunday May 11, 2008 @07:10PM (#23372506) Homepage
      You mean like this? [www.tnx.nl]

      It's not the lack of modules that people complain about. PHP is excessively convenient, if nothing else. :)

    • Re: (Score:2, Informative)

      by diskofish (1037768)
      PHP just makes it really easy to write sloppy code. I switched to doing primarily .NET a few years back, and I prefer the more structured environment and compiled code. The only time I touch PHP now is to maintain existing code.
      • by CastrTroy (595695)
        As a fellow .Net developer, I really have to agree. I use PHP for my hobby projects, because it's easy to find a cheap webhost that has it, but I really don't like the unstructured mess that is PHP. Despite the fact that I like to use open source software wherever possible, I have to say that .Net really is quite a bit better than PHP.
    • by mcrbids (148650) on Monday May 12, 2008 @02:56AM (#23375134) Journal
      I've worked with PHP professionally, building a healthy, heavily profitable, and rapidly growing company providing information management services to schools.

      From the simple standpoint of "concept to implementation" - PHP ROCKS. It's very, very fast, requiring little in the way of "planning" and "structuring" while letting the features come out... FAST. It is, bar none, the best RAD environment I've yet worked with. Not that it's the best in every area, but that it clearly has the best balance between features and "gotchas". It has its weaknesses, such as lousy error reporting, but even that can be largely mitigated with a little intelligence in advance. But it really does have a number of key strengths that I leverage to the hilt:

      1) Stability. It just doesn't die. Ever. I've never, ever, ever had a problem with PHP "not working". I don't troubleshoot it. It's there, it works, and I don't sweat it.

      2) Scalability. Its "share nothing" approach makes clustering and random-host selection boil all the way down to a simple session manager. Having 1 or 10 application servers running side-by-side is almost trivial!

      3) Code density = excellent! It's a fairly dense language, meaning that lots can get done in a few lines. Just for giggles, I've written a self-forking, multi-process daemon with a process manager and hundreds of managed children forks performing a deep-level network scan in like 50 lines!

      4) Security. Yes, you heard me correctly. Although you can certainly use PHP "wrong", you can also use it "right". Once you do, you discover that PHP has a number of features that make things like SQL injection and shell parameter expansion a thing of the past. Really. Learn your tools!

      5) Flexibility. You can run it as a module inside Apache. You can run it as a standalone executable. With tools like Ion Cube and PHP-GTK, you can create a cross-platform GUI application without revealing source.

      6) Availability. Any $5/month web hosting company supports PHP, and there are many free ones, as well. You can download a CD, install Linux, and have PHP/Apache up and running in under 10 minutes. There are batrillzions of apps available A LA SourceForge for free. PHP is the most commonly available web development language. And, by no means is it a web-only development language!

      Sorry you can't handle a few quirks in the function names. (so write out a file of wrapper functions - DUH!) Sorry that its attempts to simplify variable management weren't perfect. Geez. Just code in c and be done with it, why don't you?

      In short, PHP is everything that VB and .NET wished to be, only cross-platform. It's an excellent tool for developing information-processing applications, very, very rapidly. Yes, it has its weaknesses, and nobody's forcing you to use it, and the devs are working on the weaknesses, too. Go use Ruby if it makes you feel good. But PHP works well on Windows, Mac, Linux, BSD, and many others. Seriously: you really can't go too wrong betting on PHP unless you need 3D graphics!
      • Re: (Score:3, Informative)

        by bigtrike (904535)
        I've used PHP for about 7 years now and I've had the entirely opposite experience.

        1. Stability isn't that great. I've run into many glitches over the years and had my share of segmentation faults fixed. Ever run make test on a build? I've never once had PHP pass all of its own unit tests.

        2. PHP is so inefficient with memory that anything but the most simple application can take tens to hundreds of megabytes. This isn't a huge deal though, because gigs of ram are pretty cheap these days.

        3. PHP seems sim
  • by FilthCatcher (531259) on Sunday May 11, 2008 @07:15PM (#23372534) Homepage
    My biggest issue with new PHP changes is the fact that the sheer size of the PHP libraries means that these new features don't bubble through to the whole core.

    For example take the newish try / catch exception features. On first glance you think "finally I can write decent exception handling into my own code" - which is great for your own exceptions but too many of the core functions used by your code or by a framework you're using don't throw exceptions - they indicate an error condition in the function's result.

    So now we're seeing loads of code out there by people trying to do things "The right way (tm)" but it's full of bugs as there's exception conditions being raised by core functions that don't get caught by the catch blocks.

    The line from TFA that concerns me is "Much improved for PHP V6 is support for Unicode strings in many of the core functions"

    Many? That will mean developers will start using unicode only to find scattered lines of code throughout the app doesn't work as the core function it uses doesn't support unicode. The overhead of keeping track of which functions do and don't support unicode will be a nightmare.
    • Hopefully they can fix exception support in PHP 6. Currently it breaks in a lot of weird ways which can be nearly impossible to debug. For example, the following code:
      function a() { new DateTime("2007-02-32"); } register_shutdown_function("a");
      Fatal error: Exception thrown without a stack frame in Unknown on line 0
      Tracking down such an error in PHP 5 can be quite time consuming since current debugging solutions only work in very limited situations.
    • by CastrTroy (595695)
      That's the big problem with PHP. They get all these great new features, but since they weren't there in the first place, you can't really take full advantage of them. Take namespaces for example. It's great that they have namespaces now, but it doesn't help when the entire PHP API is completely devoid of namespaces. You mentioned exception handling, where it's nice that they finally have it, but it sucks, because the current API doesn't employ it. Even things like object oriented programming are only
  • Apparently writing about PHP automatically allows using dumb code in examples:

    function is_authorized() {
        if ($expression_that_returns_boolean) {
            return true;
        } else {
            return false;
        }
    }

    echo "Welcome, {$_GET['cross_site_scripting_attack']}!";

    I guess PHP needs magic_entities ;)
  • This article, and this discussion, reminds me of PHP's biggest issue: compatibility. PHP 4 scripts very often do not work in PHP 5, and vice-versa and so on. It is not unheard of to see these compatibility issues spring up between minor versions, either, and the incredible selection of options that seem to be constantly different do not help.

    For a scripting language where developers are often at the mercy of lazy web hosts, this is unacceptable. I have recently come to the realization that I am lucky certai
    • Re: (Score:3, Insightful)

      by Tetsujin (103070)
      This attitude - that new versions of the language should always support everything the old versions supported - only makes sense if you assume that the initial design was perfectly sound to begin with.

      Had PHP4 been perfectly designed, and perfectly well-suited to what people are now using PHP for, there wouldn't be any need to change it at all. But PHP isn't perfect. They've found ways to make it better. They could fork off a new project containing those changes - but PHP6 is more like PHP5 than not - an
